You actually configure the server with the client, so you go to server options, server config, and you have to set a modulus and a remainder value, and key 1 and key 2, which act as passwords, and then you have to specify an install directory, and the binary to Trojan.
called kiss, and then if I run that, then I go back over to my GUI and I do options and client configuration. Here I can choose if I want to spoof the source of the packets, if I want to get results, and then you have to set the local IP and port, if you... that you have to set the local IP that you're sending the packets from. So if you're behind a NAT network, you'd specify the external IP of your NAT box. This is 60... and then I can save this as client.h, and you see it's bound to the socket so that I can receive results because I checked the get options box.
The first option is ping and we specify the target here.
It doesn't matter what port we fire the commands to because that is irrelevant to the protocol
that KISS uses.
I can specify a random port and then I can send a ping and you see I get the ping response.
Shut down server obviously shuts down the server.
Remove server removes it so that it restores the binary that it backdoored.
If you look at the binary that I backdoored, it hasn't been modified.
It's on the same inode because it copies a backup and then redirects syscalls for file statistics back over to the original file, so it looks unmodified.
Yes, and whenever you do remove, it replaces and restores the original binary the way it
was whenever you installed it.
I'm going to skip over a few of these features and come back to them.
List p-hides, this lists all the hidden processes on the machine.
I can hide processes.
Here I have two shells logged in or actually a lot.
Can you exit out of those shells?
Okay.
Okay.
So here I have three shells logged in and currently I'm on TTY3, the PTS3, and I see
the PID of the bash I'm running is 1152.
So I go over to my GUI and I enter in 1152, hide process, and it says PID 1152 hidden.
So if I list processes in the terminal that's not hidden, I see 1152 is no longer listed
for shells running.
But inside the hidden process, I can still see it.
From here, it automatically hides any files, directories, network connections that I make
inside hidden processes.
So if I telnet out to another host, you don't see the connection in the connection listing.
Okay.
So, okay.
lsof won't pick it up either.
Oh, lsof is on my machine.
This is all done at the kernel level, so that bypasses lsof.
Do you handle kstat?
Which?
Do you handle kstat?
kstat?
kstat, actually, yes, and I'll get to that in a second.
And so inside hidden processes, I make a directory, and I look in my non-hidden process, and I don't see it.
And I can see it inside the hidden process.
I can change directory to it inside a hidden process.
I cannot change directory to it.
It looks like it does not exist.
You cannot.
You cannot.
You cannot stat these files.
You cannot rename them outside of hidden processes.
And another thing about the binary trojan, it redirects stuff like utime to update the time on it, so you can touch the file, and it will actually update the original that it's kept as backup.
So.
What happens if you in a non-hidden, sorry, in a normal shell, create something which is inside the hidden shell?
So you have to make a directory in your hidden shell, and the user wants to make one in the unhidden shell.
It returns a bad permission.
So, I mean, that's an unreversible way of detecting this.
But.
You'd have to know the exact file name.
But you can't really get around that.
That inside a non-hidden shell, if you try and make a directory or a file that's hidden,
if, what's the error message, or does it work for a user in a non-hidden shell?
And.
Hmm?
Nope.
Okay.
Proof is in the butter.
All right.
And you see that it says file exists.
You can return any error.
It's configurable to, you just change the error return value, so you can say eperm.
Any error you want.
You can even have it say that it doesn't have enough pageable memory, which confuses the hell out of people.
Okay.
Okay.
Okay.
I can unhide processes from the GUI.
I can remotely start processes as hidden or unhidden.
So if I do hidden cp /etc/shadow /tmp/bob, it says it started the process as PID 1331.
And I see it copied the file, so.
All right.
So execution redirection.
A common problem that a lot of hackers run into is if you modify binaries on disk, then
if they're running a binary check, somewhere like tripwire, it'll catch that you've modified
the binary.
What this does is whenever you execute a program, it actually executes another program, but
it's transparent to user space, so the program thinks that it's running out of the location
that you specified to run.
So if I do /bin/chown to /bin/ps, I see that I got a process listing when I run chown.
So I can do this with sshd and have it actually execute a trojaned sshd.
And.
It would.
Any file sum checker would not pick this up.
Do you do that based off of the.
I know a number.
Do you do that based off of the strings?
Based off of the execve strings.
Okay.
So if I had a hard link to chown, I would run the original from chown?
No.
It's actually whenever it calls the execve syscall, it sees the string /bin/chown, and it redirects it to /bin/ps.
But.
But it doesn't modify argv, so the program thinks it's running as /bin/chown.
Correct.
So ln chown foo, and then run foo, you still get the original.
Yes.
How does the bot have to have the XI program?
No.
I've got a command line client.
It's on my web page.
I'll mention that in a bit.
File system controls.
I can hide files, list the hidden files.
And there's two methods of hiding files.
The one that it ships by default, it actually keeps an internal linked list, so that there's
nothing, it doesn't modify anything to do with the file.
But a method that the TESO guys and a few other people used is they changed it to a UID, and if the file matched that UID, then it would hide it from directory listings.
The problem with this is you can just chown a file through all possible UIDs, and if it disappears, you know you've been owned, and that's a problem.
Network control.
You can hide, unhide network connections.
If you specify just a port, it'll hide everything coming in from that port.
If you specify an IP colon zero, it'll hide all connections from that machine.
The plug-in interface, it has the capability to use kernel modules as plug-ins, or user
space binaries as kernel plug-ins.
Inside hidden processes, you can execve kernel functions.
So let me demonstrate that.
Okay.
Okay.
Well, here, I'll show you the code for this first.
So all this does is a standard execve of any arguments you pass in, and as the file name parameter, if you pass in a zero, it won't print anything.
If it has return values, if you specify one, it'll print it out to the current TTY.
So I specified one so that I can see what I'm doing.
Okay.
And I can do, say, hide file temp, and it says temp hidden, and yeah, so that's pretty
self-explanatory.
Mm-hmm.
It's for Linux 2.2 and 2.4.
This is very kernel-specific code, because it is a kernel module, but you could easily
port it over to other platforms.
It performs because it's just concepts that you have to port over.
And so I can load plug-ins, and I'll get back to the plug-in interface after I talk
about the communication.
So this all communicates without listening ports.
The traffic can be spoofed both ways, and you can still get results, even if you spoof
it.
I can do a demonstration of that.
Okay.
Okay.
Okay.
So it's a good idea to use the server header file here, so you don't have to go through
the config again.
Hmm.
Oh, yeah.
I guess I can do that.
Just do a v and then do it.
Um.
Okay, so if I go back to my client config, I can select the spoof box and specify an
IP.
If I specify an IP of zero, it spoofs from a random source IP every time.
If I specify a port of zero, it spoofs from a random port every time.
An easy way to get through firewalls, since this is all loosely based on the UDP protocol,
it's routed as UDP, you can spoof source port 53 in the IP of their name server and
hop through a lot of firewalls.
So I'll just do random.
Yes, educational purposes.
As in like different levels of availability?
Of access to this?
In times of port, oh no, I can specify any port.
So I can specify nine, I don't get, all right, I could, yeah, so, all right, that's a good
port number, I think.
All right.
Okay, so I think this feature is broken under OpenBSD, I've only tested the client's spoofing
capabilities under Linux, but yeah.
So the way the communication works is I came to the problem that a lot of other remote
control agents, it's easy to tell if they're hooking the IP stack because it increases
the latency of the IP stack.
Okay.
And you can detect it with anti-sniffers.
So what I did was is whenever you set up the client or the server configuration, you specified
a modulus value, a remainder value, and the two keys.
What it does is when a packet comes in off the IP stack, it takes a modulus of the length
of the packet, and if the remainder matches, it's a possible command packet.
From there, it passes it on to SHA, where it takes the source IP, the destination IP,
the destination port, and shared secret one.
Which is key one, sends that through SHA, and XORs the packet with it, and if the first
part of the packet matches shared secret two, then it's a valid command packet.
This means if you change the port you're firing it to, it completely changes the encryption
key.
If you change the source IP, it changes the encryption key.
Yeah, so it can be signatured.
The traffic can't, that is.
So it doesn't automatically use spoof?
Yeah.
When it generates the IP when it's doing the encryption of the packets, it uses the IP
that it randomly generated as.
Excuse me.
No, if you change the port that you're sending the command to, it'll…
Oh, yes, yes.
It would be the same encryption system.
So, what else?
Okay, as far as the plug-in capabilities go, you can just take and compile plug-ins. There's a plug-in interface for the kernel that I wrote. It uses the standard module loading capabilities. You just have to define a few functions, and all this does is send you back what you specified as an argument. So, I compile this.
Oh, yeah.
Okay, that's... Red Hat 7.0 decided to switch to beta builds of GCC, and so you get tons of assembler warnings, because that was a poor move on their part.
So, what I can do to load plug-ins is I can either load them through the client, or if I want them to load at startup, I can just cat them to the back of the KISS server, and they'll load... It recursively loads anything you clip onto the back of it.
And, yeah.
So...
Should we scream yes?
Yeah!
Yeah!
Okay, so, well, there's some other options.
Hey, hey, hey, hey, hey.
There's some other options I've got in here as well. There's, you can define, by default it ships this way, anti-security, which means anti-security modules. It can actively disable... every kernel-based IDS I've found, without it knowing about it. And if you want to add new modules to the list, it's really easy. You just edit the KISS header file, or KISS C file. Let me look. So, you just add a string compare. You can choose to either let it load and then disable it, or just never let it load and not tell the user. Right now, it actively disables Carbonite, the Linux MAC implementation, St. Michael and St. Jude.
What if the modules are not in the mod list?
In the mod list?
The newer versions of St. Michael, it has to be, would remove itself from the modules.
Yeah, it'll find it in memory and remove it. The same way it finds itself in memory and removes it. Oh, yeah, by the way, I didn't show this, but if you do an lsmod, it doesn't show any... It doesn't show that... the KISS is loaded. And this is all done in the module itself, as opposed to the way St. Michael does it, by loading a secondary module, which removes it from the list, and that's very easily flagged. And once it's doing the initialization process is when I remove it. And if it's already loaded, it'll just find it in kernel space and unload it.
And other options that it has, you can define elite UID, and you can define elite GID, and use GID-based hiding. This is the method I talked about before, where you can easily find it if you just chown a file over and over and over until finally the file disappears. What's another option I added? Oh, no, that's it. That's all I should put. There's other things in development. Yeah, there's other plugins in development. And the plugin interface is very easy to learn, and you don't have to deal with interfaces... interrupts from user space.
You had a question?
Yeah.
Somebody has decided to use my server for educational purposes. Is there a way to find this is on there?
Currently, you could detect this version with kstat. I've got other code which will beat kstat. It's a plugin to this. That may or may not be made public, depending on the reaction of the security community to this.
Okay.
Actually, here's the funny thing. About a year and a half ago, I wrote a completely in-the-kernel signed module loader, so that you kept a signing tool and a key on another machine or file, and you just signed all the modules you wanted to load into kernel space, so that it would only load verified code into kernel space. And I had 50 downloads in six months. So I just took it off my website because apparently people weren't concerned with this, even though it's a big problem.
In other words, it's a little too late.
Yeah.
Let's say my blogger's compromised and they started using it as a file dumping place. If someone stole a file from me, and we can take it back, like, did it just freak when I didn't see the file size and free space change?
Yes, actually you would, because you can't hide that on ext2 or Reiser. I don't know about other file systems.
But if you mounted something using DataFast and used your remote driver?
Yeah.
Well, here's a way to detect it, but it involves downing the machine. If you do a find and just map out your whole hard drive, like, from root, and then you shut the machine down, boot off of another disk, and then mount that drive, not as root, however, and then map it out. If you see any hidden files that weren't there before, then that's probably where it's located, and there's a nice backup of it kept there of your original file so you can restore it.
Anything else?
Do you do anything to hide from promiscuous mode?
I've got a module which is on my web page, a plug-in for this, that does that. If you're inside a hidden process and you throw the device into promiscuous mode, it won't show that it's hidden or that it's in promiscuous mode, but if you do it as an admin, it will.
Go along with that on both sides of the promiscuous mode?
Are both sides?
No, the client actually listens on a port. It's standard UDP traffic.
No one wins.
No one wins back.
Do you run it as a defensive purpose on your own network?
They're on service, and it's over-exited today trying to run it for malicious purposes.
Can that just be broken in and the attacks that you're actually running on your server?
KISS also has anti-KISS capabilities so that you can use it as a... You can use it as... It's very easy if you just drop in plug-ins to make it a security, but if you don't, you can make it into whatever you want, and it would be great for the HoneyNet project for remotely managing machines.
No, they'd have to know the modulus, the remainder value, and both shared secrets.
It's standard GTK. This is OpenBSD, but I don't know why the raw socket is open. The sockets don't work on this right now. I'm root, and...
Wait, wait, wait, wait.
I'm back.
I just wanted to say,
I use Linux,
and I think what you're saying,
I don't really understand a lot of it,
but I think what you're saying
is that what you're doing for Linux
is making it bad,
and I use Linux 2.4,
and it's really good.
I just think this is really bad.
I like Linux.
Yellow.
Woo!
Yeah.
You do this,
and it's so funny,
and you're laughing at it,
but you know what?
You is not laughing.
Richard Schultz is not laughing.
It's really bad.
It's really bad.
Richard Schultz is not laughing.
It's really bad.
It's really bad.
It's really bad.
It's really bad.
It's really bad.
It's really bad.
I like women! I like women! I like women!
Give me back my girl!
Give me back my girl!
My website is uberhax0r.net, U-B-E-R-H-A-X-0-R.net, and then the download site is forward slash kiss, but there's a link to it off the main page.
Should we taunt for awareness?
I think we should taunt them.
Okay.
Dude, quality HTML.
I added my first picture to the web.
Alright, alright.
Alright, alright.
Make sure you shake stuff.
Uh!
Make sure you check stuff.
Show me your hands.
Show me something necessary.
Forward!
You can do that.
Yeah, boot them.
They won't boot, but...
All right, so that's it.
